DMARC 101 (Part I) – S/MIME, SPF, and DKIM

In advance of MAAWG next week, we thought we’d go down memory lane and outline the history of email authentication that led to the creation of DMARC.

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late 1990s, but despite a solid technical base and strong vendor support, S/MIME did not achieve meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistical issues that make it difficult to deploy and manage.

Starting in the mid-2000s, a new set of security and authentication standards for email began to be used. Two major standards originated in that timeframe, each solving a related aspect of the email security quandary. The first was the Sender Policy Framework, or SPF, standard. SPF allows email senders to specify which IP addresses are allowed to send email for a given domain (e.g. only IP 1.2.3.4 is allowed to send email from @fakedomain.com addresses) and to publish these policies in DNS records for the domains in question.
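To make the SPF mechanism concrete, here is a small SPF evaluator written for this post (it is not code from the original article or from any SPF library). It walks a domain's published policy the way a receiving mail server does: the domain checked is the one in the SMTP MAIL FROM (envelope sender), not the From header the user sees, which is part of what DMARC later addresses. The DNS records, the bulk-mail provider name `_spf.bulkmailer.example` and every IP other than the page's 1.2.3.4 are constructed for the example.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups. fakedomain.com
# authorizes the page's 1.2.3.4 directly and delegates to a hypothetical
# bulk-mail provider via "include:" (as senders commonly do).
SPF_TXT = {
    "fakedomain.com": "v=spf1 ip4:1.2.3.4 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it publishes none."""
    return SPF_TXT.get(domain)

def check_spf(domain, client_ip, depth=0):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    Only ip4/ip6/include and the "all" mechanism are handled here; the full
    standard (RFC 7208) also defines a, mx, ptr, exists, redirect and macros.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return result               # "all" matches anything left over
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # an IPv4 address never matches an ip6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            # include matches only if the referenced record itself passes
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return result
        else:
            return "permerror"          # mechanism not supported here
    return "neutral"                    # nothing matched, no explicit "all"
```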

The second standard from this timeframe is DKIM, or DomainKeys Identified Mail. DKIM was created by merging two new technologies, DomainKeys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by giving email senders a way to digitally sign all the outgoing email from a given domain and to publish in DNS the public key(s) needed to validate those signatures. This lets receiving systems confirm that no changes have been made to the email since it was sent, before delivering it to the end user's inbox.

Both SPF and DKIM share an important attribute: neither requires any change in behavior on the part of the end user. This made them much easier to deploy than S/MIME, and within a few years both SPF and DKIM were widely adopted. However, SPF and DKIM alone are not a complete solution to email authentication. A few elements of the equation are still missing even after a sender has fully deployed both standards, and that is what led to the development of DMARC.